Abstract

Logics for security protocol analysis require the formalization of an adversary model 
that specifies the capabilities of adversaries. A common model is the Dolev-Yao model, 
which considers only adversaries that can compose and replay messages, and decipher 
them with known keys. The Dolev-Yao model is a useful abstraction, but it suffers from 
some drawbacks: it cannot handle the adversary knowing protocol-specific information, 
and it cannot handle probabilistic notions, such as the adversary attempting to guess the 
keys. We show how we can analyze security protocols under different adversary models 
by using a logic with a notion of algorithmic knowledge. Roughly speaking, adversaries 
are assumed to use algorithms to compute their knowledge; adversary capabilities are 
captured by suitable restrictions on the algorithms used. We show how we can model 
the standard Dolev-Yao adversary in this setting, and how we can capture more general 
capabilities including protocol-specific knowledge and guesses. 

1 Introduction 

Many formal methods for the analysis of security protocols rely on specialized logics to 
rigorously prove properties of the protocols they study.[1] Those logics provide constructs
for expressing the basic notions involved in security protocols, such as secrecy, recency, and 
message composition, as well as providing means (either implicitly or explicitly) for de- 
scribing the evolution of the knowledge or belief of the principals as the protocol progresses. 
Every such logic aims at proving security in the presence of hostile adversaries. To analyze 
the effect of adversaries, a security logic specifies (again, either implicitly or explicitly) an 
adversary model, that is, a description of the capabilities of adversaries. Almost all exist- 
ing logics are based on a Dolev-Yao adversary model [Dolev and Yao 1983]. Succinctly, a 
Dolev-Yao adversary can compose messages, replay them, or decipher them if she knows 
the right keys, but cannot otherwise "crack" encrypted messages. 

*A preliminary version of this paper appeared in the Proceedings of the Workshop on Formal Aspects 
of Security, LNCS 2629, pp. 115-132, 2002. This work was done while the second author was at Cornell 
University. 

[1] Here, we take a very general view of logic, to encompass formal methods where the specification language
is implicit, or where the properties to be checked are fixed, such as Casper [Lowe 1998], Cryptyc [Gordon
and Jeffrey 2003], or the NRL Protocol Analyzer [Meadows 1996].
The Dolev-Yao adversary is a useful abstraction, in that it allows reasoning about protocols without worrying about the actual encryption scheme being used. It also has the
advantage of being restricted enough that interesting theorems can be proved with respect 
to security. However, in many ways, the Dolev-Yao model is too restrictive. For example, it 
does not consider the information an adversary may infer from properties of messages and 
knowledge about the protocol that is being used. To give an extreme example, consider 
what we will call the Duck-Duck-Goose protocol: an agent has an n-bit key and, according
to her protocol, sends the bits that make up her key one by one. Of course, after intercepting these messages, an adversary will know the key. However, there is no way for security
logics based on a Dolev-Yao adversary to argue that, at this point, the adversary knows
the key. Another limitation of the Dolev-Yao adversary is that it does not easily capture
probabilistic arguments. After all, the adversary can always be lucky and just guess the
appropriate key to use, irrespective of the strength of the encryption scheme.

The importance of being able to reason about adversaries with capabilities beyond those 
of a Dolev-Yao adversary is made clear when we look at the subtle interactions between 
the cryptographic protocol and the encryption scheme. It is known that various protocols 
that are secure with respect to a Dolev-Yao adversary can be broken when implemented 
using encryption schemes with specific properties [Moore 1988], such as encryption systems 
with encryption cycles [Abadi and Rogaway 2002] and ones that use exclusive-or [Ryan and
Schneider 1998]. A more refined logic for reasoning about security protocols will have to be 
able to handle adversaries more general than the Dolev-Yao adversary. 

Because they effectively build in the adversary model, existing formal methods for an- 
alyzing protocols are not able to reason directly about the effect of running a protocol 
against adversaries with properties other than those built in. The problem is even worse 
when it is not clear exactly what assumptions are implicitly being made about the adver- 
sary. One obvious assumption that needs to be made clear is whether the adversary is 
an insider in the system or an outsider. Lowe's [1995] well-known man-in-the-middle at- 
tack against the Needham-Schroeder [1978] protocol highlights this issue. Until then, the 
Needham-Schroeder protocol had been analyzed under the assumption that the adversary 
had complete control of the network, and could intercept and inject arbitrary messages (up to the Dolev-Yao capabilities) into the protocol runs. However, the adversary
was always assumed to be an outsider, not being able to directly interact with the protocol 
principals as himself. Lowe showed that if the adversary is allowed to be an insider of the 
system, that is, appear to the other principals as a bona fide protocol participant, then the 
Needham-Schroeder protocol does not guarantee the authentication properties it is meant 
to guarantee. 

In this paper, we introduce a logic for reasoning about security protocols that allows us 
to model adversaries explicitly and naturally. The idea is to model the adversary in terms of 
what the adversary knows. This approach has some significant advantages. Logics of knowl- 
edge [Fagin, Halpern, Moses, and Vardi 1995] have been shown to provide powerful methods 
for reasoning about trace-based executions of protocols. They can be given semantics that 
is tied directly to protocol execution, thus avoiding problems of having to analyze an ide- 
alized form of the protocol, as is required, for example, in BAN logic [Burrows, Abadi, and 
Needham 1990]. A straightforward application of logics of knowledge allows us to conclude 
that in the Duck-Duck-Goose protocol, the adversary knows the key. Logics of knowledge 
can also be extended with probabilities [Fagin and Halpern 1994; Halpern and Tuttle 1993]
so as to be able to deal with probabilistic phenomena. Unfortunately, traditional logics of 
knowledge suffer from a well-known problem known as the logical omniscience problem: an 
agent knows all tautologies and all the logical consequences of her knowledge. The reasoning 
that allows an agent to infer properties of the protocol also allows an attacker to deduce 
properties that cannot be computed by realistic attackers in any reasonable amount of time. 

To avoid the logical omniscience problem, we use the notion of algorithmic knowledge 
[Fagin, Halpern, Moses, and Vardi 1995, Chapters 10 and 11]. Roughly speaking, we assume
that agents (including adversaries) have "knowledge algorithms" that they use to compute 
what they know. The capabilities of the adversary are captured by its algorithm. Hence, 
Dolev-Yao capabilities can be provided by using a knowledge algorithm that can only com- 
pose messages or attempt to decipher using known keys. By changing the algorithm, we 
can extend the capabilities of the adversary so that it can attempt to crack the encryption 
scheme by factoring (in the case of RSA), using differential cryptanalysis (in the case of 
DES), or just by guessing keys, along the lines of a model due to Lowe [2002]. Moreover, our 
framework can also handle the case of a principal sending the bits of its key, by providing 
the adversary's algorithm with a way to check whether this is indeed what is happening. By 
explicitly using algorithms, we can therefore analyze the effect of bounding the resources 
of the adversary, and thus make progress toward bridging the gap between the analysis of 
cryptographic protocols and more computational accounts of cryptography. (See [Abadi 
and Rogaway 2002] and the references therein for a discussion on work bridging this gap.) 
Note that we need both traditional knowledge and algorithmic knowledge in our analysis. 
Traditional knowledge is used to model a principal's beliefs about what can happen in the 
protocol; algorithmic knowledge is used to model the adversary's computational limitations 
(for example, the fact that it cannot factor). 

The focus of this work is on developing a general and expressive framework for modeling 
and reasoning about security protocols, in which a wide class of adversaries can be repre- 
sented naturally. Therefore, we emphasize the expressiveness and representability aspects 
of the framework, rather than studying the kind of security properties that are useful in 
such a setting or developing techniques for proving that properties hold in the framework. 
These are all relevant questions that need to be pursued once the framework proves useful 
as a specification language. 

The rest of the paper is organized as follows. In Section 2, we define our model for protocol analysis, based on the well-understood multiagent system framework, and in Section 3
our logic for reasoning about implicit and explicit knowledge. In Section 4.1, we show how
to model different adversaries from the literature. These adversaries are passive, in that
they eavesdrop on the communication but do not attempt to interact with the principals of
the system. In Section 4.2, we show how the framework can accommodate active adversaries,
that is, adversaries that can actively interact with the principals by intercepting, forwarding,
and replacing messages. We discuss related work in Section 5.

2 Modeling Security Protocols 

In this section, we review the multiagent system framework of Fagin et al. [1995, Chapters 
4 and 5], and show how it can be tailored to represent security protocols.
2.1 Multiagent Systems

The multiagent systems framework provides a model for knowledge that has the advantage 
of also providing a discipline for modeling executions of protocols. A multiagent system 
consists of n agents, each of which is in some local state at a given point in time. We assume 
that an agent's local state encapsulates all the information to which the agent has access. 
In the security setting, the local state of an agent might include some initial information 
regarding keys, the messages she has sent and received, and perhaps the reading of a clock. 
In a poker game, a player's local state might consist of the cards he currently holds, the bets 
made by other players, any other cards he has seen, and any information he may have about 
the strategies of the other players (for example, Bob may know that Alice likes to bluff, 
while Charlie tends to bet conservatively). The basic framework makes no assumptions 
about the precise nature of the local state. 

We can then view the whole system as being in some global state, which is a tuple
consisting of each agent's local state, together with the state of the environment, where the
environment consists of everything that is relevant to the system that is not contained in
the state of the agents. Thus, a global state has the form $(s_e, s_1, \ldots, s_n)$, where $s_e$ is the
state of the environment and $s_i$ is agent $i$'s state, for $i = 1, \ldots, n$. The actual form of the
agents' local states and the environment's state depends on the application.

A system is not a static entity. To capture its dynamic aspects, we define a run to be
a function from time to global states. Intuitively, a run is a complete description of what
happens over time in one possible execution of the system. A point is a pair $(r, m)$ consisting
of a run $r$ and a time $m$. For simplicity, we take time to range over the natural numbers
in the remainder of this discussion. At a point $(r, m)$, the system is in some global state
$r(m)$. If $r(m) = (s_e, s_1, \ldots, s_n)$, then we take $r_i(m)$ to be $s_i$, agent $i$'s local state at the
point $(r, m)$. We formally define a system $\mathcal{R}$ to consist of a set of runs (or executions). It is
relatively straightforward to model security protocols as systems. Note that the adversary
in a security protocol can be modeled as just another agent. The adversary's information
at a point in a run can be modeled by his local state.

2.2 Specializing to Security 

The multiagent systems framework is quite general. We have a particular application in 
mind, namely reasoning about security protocols, especially authentication protocols. We 
now specialize the framework in a way appropriate for reasoning about security protocols. 

Since the vast majority of security protocols studied in the literature are message-based,
a natural class of multiagent systems to consider is that of message passing systems [Fagin,
Halpern, Moses, and Vardi 1995]. Let $\mathcal{M}$ be a fixed set of messages. A history for agent
$i$ (over $\mathcal{M}$) is a sequence of elements of the form $send(j, m)$ and $recv(m)$, where $m \in \mathcal{M}$.
We think of $send(j, m)$ as representing the event "message $m$ is sent to $j$" and $recv(m)$ as
representing the event "message $m$ is received". (We can also allow events corresponding to
internal actions; however, since internal actions do not play any role in this paper, we choose
to ignore those events for the time being.) Intuitively, $i$'s history at $(r, m)$ consists of $i$'s
initial state, which we take to be the empty sequence, followed by the sequence describing $i$'s
actions up to time $m$. If $i$ performs no actions in round $m$, then her history at $(r, m)$ is the
same as her history at $(r, m - 1)$. In such a message-passing system, we speak of $send(j, m)$
and $recv(m)$ as events. For an agent $i$, let $r_i(m)$ be agent $i$'s history in $(r, m)$. We say that
an event $e$ occurs in $i$'s history in round $m + 1$ of run $r$ if $e$ is in (the sequence) $r_i(m + 1)$
but not in $r_i(m)$.

In a message-passing system, the agent's local state at any point is her history. Of 
course, if h is the history of agent i at the point {r,m), then we want it to be the case 
that h describes what happened in r up to time m from i's point of view. To do this, we 
need to impose some consistency conditions on global states. In particular, we want to 
ensure that message histories do not shrink over time, and that every message received in 
round m corresponds to a message that was sent at some earlier round. 

Given a set $\mathcal{M}$ of messages, we define a message-passing system (over $\mathcal{M}$) to be a system
satisfying the following constraints at all points $(r, m)$ for each agent $i$:

MP1. $r_i(m)$ is a history over $\mathcal{M}$.

MP2. For every event $recv(m)$ in $r_i(m)$ there exists a corresponding event $send(j, m)$ in
$r_j(m)$, for some $j$.

MP3. $r_i(0)$ is the empty sequence and $r_i(m + 1)$ is either identical to $r_i(m)$ or the result
of appending one event to $r_i(m)$.

MP1 says that an agent's local state is her history, MP2 guarantees that every message
received at round $m$ corresponds to one that was sent earlier, and MP3 guarantees that
histories do not shrink.

A security system is a message passing system where the message space has a structure
suitable for the interpretation of security protocols. Therefore, a security system assumes
a set $\mathcal{P}$ of plaintexts, as well as a set $\mathcal{K}$ of keys. For every key $k \in \mathcal{K}$, there corresponds
an inverse key $k^{-1} \in \mathcal{K}$ (which could be equal to $k$). An encryption scheme $\mathcal{C}$ over $\mathcal{P}$ and
$\mathcal{K}$ is the closure $\mathcal{M}$ of $\mathcal{P}$ and $\mathcal{K}$ under a concatenation operation $conc : \mathcal{M} \times \mathcal{M} \to \mathcal{M}$,
decomposition operators $first : \mathcal{M} \to \mathcal{M}$ and $second : \mathcal{M} \to \mathcal{M}$, an encryption operation
$encr : \mathcal{M} \times \mathcal{K} \to \mathcal{M}$, and a decryption operation $decr : \mathcal{M} \times \mathcal{K} \to \mathcal{M}$, subject to the
constraints:

$$first(conc(m_1, m_2)) = m_1$$
$$second(conc(m_1, m_2)) = m_2$$
$$decr(encr(m, k), k^{-1}) = m.$$

In other words, decrypting an encrypted message with the inverse of the key used to encrypt
the message yields the original message. (For simplicity, we restrict ourselves to nonprobabilistic encryption schemes in this paper.) We often write $m_1 \cdot m_2$ for $conc(m_1, m_2)$ and $\{|m|\}_k$
for $encr(m, k)$. There is no difficulty in adding more operations to the encryption schemes,
for instance, to model hashes, signatures, or the ability to take the exclusive-or of two terms.
We make no assumption in the general case as to the properties of encryption. Thus, for
instance, most concrete encryption schemes allow collisions, that is, $\{|m_1|\}_{k_1} = \{|m_2|\}_{k_2}$ without $m_1 = m_2$ and $k_1 = k_2$. (In contrast, most security protocol analyses assume that there
are no properties of encryption schemes beyond those specified above; this is part of the
Dolev-Yao adversary model, which we examine in more detail in Section 4.1.1.)
Define $\sqsubseteq$ on $\mathcal{M}$ as the smallest relation satisfying the following constraints:

(1) $m \sqsubseteq m$

(2) if $m \sqsubseteq m_1$, then $m \sqsubseteq m_1 \cdot m_2$

(3) if $m \sqsubseteq m_2$, then $m \sqsubseteq m_1 \cdot m_2$

(4) if $m \sqsubseteq m_1$, then $m \sqsubseteq \{|m_1|\}_k$.

Intuitively, $m_1 \sqsubseteq m_2$ if $m_1$ could be used in the construction of $m_2$. For example, if $m =
\{|m_1|\}_k = \{|m_2|\}_{k'}$, then both $m_1 \sqsubseteq m$ and $m_2 \sqsubseteq m$. Therefore, if we want to establish that
$m_1 \sqsubseteq m_2$ for a given $m_1$ and $m_2$, then we have to look at all the possible ways in which
$m_2$ can be taken apart, either by concatenation or encryption, to finally decide if $m_1$ can
be derived from $m_2$. Clearly, if encryption does not result in collisions, there is a single way in
which $m_2$ can be taken apart.

To analyze a particular security protocol, we first derive the multiagent system corresponding to the protocol, using the approach of Fagin et al. [1995, Chapter 5]. Intuitively,
this multiagent system contains a run for every possible execution of the protocol, for instance, for every possible key used by the principals, subject to the restrictions above (such
as MP1-MP3).

Formally, a protocol for agent $i$ is a function from her local state to the set of actions
that she can perform at that state. For ease of exposition, the only actions we consider
here are those of sending messages (although we could easily incorporate other actions,
such as choosing keys, or tossing coins to randomize protocols). A joint protocol $P =
(P_e, P_1, \ldots, P_n)$, consisting of a protocol for each of the agents (including a protocol for the
environment), associates with each global state a set of possible joint actions (i.e., tuples
of actions) in the obvious way. Joint actions transform global states. To capture their
effect, we associate with every joint action $a$ a function $\tau(a)$ from global states to global
states. This function captures, for instance, the fact that a message sent by an agent will
be received by another agent, and so on. Given a context consisting of a set of initial global
states, an interpretation $\tau$ for the joint actions, and a protocol $P_e$ for the environment,
we can generate a system corresponding to the joint protocol $P$ in a straightforward way.
Intuitively, the system consists of all the runs $r$ that could have been generated by the joint
protocol $P$, that is, for all $m$, $r(m + 1)$ is the result of applying $\tau(a)$ to $r(m)$, where $a$ is a
joint action that could have been performed according to the joint protocol $P$ at $r(m)$.[2]

3 A Logic for Security Properties 

The aim is to be able to reason about properties of security systems as defined in the last 
section, including properties involving the knowledge of agents in the system. To formalize 
this type of reasoning, we first need a language. The logic of algorithmic knowledge [Fagin, 
Halpern, Moses, and Vardi 1995, Chapters 10 and 11] provides such a framework. It extends 
the classical logic of knowledge by adding algorithmic knowledge operators. 

[2] It is also possible to represent a protocol in other ways, such as in terms of strand spaces [Thayer, Herzog,
and Guttman 1999]. Whichever representation is used, it should be possible to get a system corresponding
to the protocol. For example, Halpern and Pucella [2003] show how to get a system from a strand space
representation. For the purposes of this paper, the precise mechanism used to derive the multiagent system
is not central, although it is an important issue for the development of formal tools for analyzing protocols.
The syntax of the logic for algorithmic knowledge is straightforward. Starting with
a set $\Phi_0$ of primitive propositions, which we can think of as describing basic facts about the
system, such as "the key is $k$" or "agent $A$ sent the message $m$ to $B$", formulas of $\mathcal{L}^{KX}_n(\Phi_0)$
are formed by closing off under negation, conjunction, and the modal operators $K_1, \ldots, K_n$
and $X_1, \ldots, X_n$.

The formula $K_i\varphi$ is read as "agent $i$ (implicitly) knows the fact $\varphi$", while $X_i\varphi$ is read
as "agent $i$ explicitly knows fact $\varphi$". In fact, we will read $X_i\varphi$ as "agent $i$ can compute fact
$\varphi$". This reading will be made precise when we discuss the semantics of the logic. As usual,
we take $\varphi \lor \psi$ to be an abbreviation for $\neg(\neg\varphi \land \neg\psi)$ and $\varphi \Rightarrow \psi$ to be an abbreviation for
$\neg\varphi \lor \psi$.

The standard models for this logic are based on the idea of possible worlds and Kripke
structures [Kripke 1963]. Formally, a Kripke structure $M$ is a tuple $(S, \pi, \mathcal{K}_1, \ldots, \mathcal{K}_n)$,
where $S$ is a set of states or possible worlds, $\pi$ is an interpretation which associates with
each state in $S$ a truth assignment to the primitive propositions (i.e., $\pi(s)(p) \in \{\mathbf{true}, \mathbf{false}\}$
for each state $s \in S$ and each primitive proposition $p$), and $\mathcal{K}_i$ is an equivalence relation
on $S$ (recall that an equivalence relation is a binary relation which is reflexive, symmetric,
and transitive). $\mathcal{K}_i$ is agent $i$'s possibility relation. Intuitively, $(s, t) \in \mathcal{K}_i$ if agent $i$ cannot
distinguish state $s$ from state $t$ (so that if $s$ is the actual state of the world, agent $i$ would
consider $t$ a possible state of the world).

A system can be viewed as a Kripke structure, once we add a function $\pi$ telling us how
to assign truth values to the primitive propositions. An interpreted system $\mathcal{I}$ consists of
a pair $(\mathcal{R}, \pi)$, where $\mathcal{R}$ is a system and $\pi$ is an interpretation for the propositions in $\Phi$
that assigns truth values to the primitive propositions at the global states. Thus, for every
$p \in \Phi$ and global state $s$ that arises in $\mathcal{R}$, we have $\pi(s)(p) \in \{\mathbf{true}, \mathbf{false}\}$. Of course, $\pi$
also induces an interpretation over the points of $\mathcal{R}$; simply take $\pi(r, m)$ to be $\pi(r(m))$. We
refer to the points of the system $\mathcal{R}$ as points of the interpreted system $\mathcal{I}$.

The interpreted system $\mathcal{I} = (\mathcal{R}, \pi)$ can be made into a Kripke structure by taking the
possible worlds to be the points of $\mathcal{R}$, and by defining $\mathcal{K}_i$ so that $((r, m), (r', m')) \in \mathcal{K}_i$ if
$r_i(m) = r'_i(m')$. Clearly $\mathcal{K}_i$ is an equivalence relation on points. Intuitively, agent $i$ considers
a point $(r', m')$ possible at a point $(r, m)$ if $i$ has the same local state at both points. Thus,
the agents' knowledge is completely determined by their local states.

To account for $X_i$, we provide each agent with a knowledge algorithm that he uses
to compute his knowledge. We will refer to $X_i\varphi$ as algorithmic knowledge. An interpreted
algorithmic knowledge system has the form $(\mathcal{R}, \pi, \mathsf{A}_1, \ldots, \mathsf{A}_n)$, where $(\mathcal{R}, \pi)$ is an interpreted
system and $\mathsf{A}_i$ is the knowledge algorithm of agent $i$. In local state $\ell$, the agent computes
whether he knows $\varphi$ by applying the knowledge algorithm $\mathsf{A}_i$ to input $(\varphi, \ell)$. The output
is either "Yes", in which case the agent knows $\varphi$ to be true, "No", in which case the
agent does not know $\varphi$ to be true, or "?", which intuitively says that the algorithm has
insufficient resources to compute the answer. It is the last clause that allows us to deal with
resource-bounded reasoners.

We define what it means for a formula $\varphi$ to be true (or satisfied) at a point $(r, m)$ in an
interpreted system $\mathcal{I}$, written $(\mathcal{I}, r, m) \models \varphi$, inductively as follows:

$$(\mathcal{I}, r, m) \models p \text{ if } \pi(r, m)(p) = \mathbf{true}$$
$$(\mathcal{I}, r, m) \models \neg\varphi \text{ if } (\mathcal{I}, r, m) \not\models \varphi$$
$$(\mathcal{I}, r, m) \models \varphi \land \psi \text{ if } (\mathcal{I}, r, m) \models \varphi \text{ and } (\mathcal{I}, r, m) \models \psi$$
$$(\mathcal{I}, r, m) \models K_i\varphi \text{ if } (\mathcal{I}, r', m') \models \varphi \text{ for all } (r', m') \text{ such that } r_i(m) = r'_i(m')$$
$$(\mathcal{I}, r, m) \models X_i\varphi \text{ if } \mathsf{A}_i(\varphi, r_i(m)) = \text{``Yes''}.$$

The first clause shows how we use $\pi$ to define the semantics of the primitive propositions.
The next two clauses, which define the semantics of $\neg$ and $\land$, are the standard clauses from
propositional logic. The fourth clause is designed to capture the intuition that agent $i$ knows
$\varphi$ exactly if $\varphi$ is true in all the worlds that $i$ thinks are possible. The last clause captures
the fact that explicit knowledge is determined using the knowledge algorithm of the agent.

As we pointed out, we think of $K_i$ as representing implicit knowledge, facts that the agent
implicitly knows, given its information, while $X_i$ represents explicit knowledge, facts whose
truth the agent can compute explicitly. As is well known, implicit knowledge suffers from the
logical omniscience problem; agents implicitly know all valid formulas and agents implicitly
know all the logical consequences of their knowledge (that is, $(K_i\varphi \land K_i(\varphi \Rightarrow \psi)) \Rightarrow K_i\psi$ is
valid). Explicit knowledge does not have that problem. Note that, as defined, there is no
necessary connection between $X_i\varphi$ and $K_i\varphi$. An algorithm could very well claim that agent
$i$ knows $\varphi$ (i.e., output "Yes") whenever it chooses to, including at points where $K_i\varphi$ does
not hold. Although algorithms that make mistakes are common, we are often interested
in knowledge algorithms that are correct. A knowledge algorithm $\mathsf{A}_i$ is sound for agent $i$
in the system $\mathcal{I}$ if for all points $(r, m)$ of $\mathcal{I}$ and formulas $\varphi$, $\mathsf{A}_i(\varphi, r_i(m)) =$ "Yes" implies
$(\mathcal{I}, r, m) \models K_i\varphi$, and $\mathsf{A}_i(\varphi, r_i(m)) =$ "No" implies $(\mathcal{I}, r, m) \models \neg K_i\varphi$. Thus, a knowledge
algorithm is sound if its answers are always correct.
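As an added illustration (this is example code, not code from the paper), the following Python program implements the five semantic clauses above and the soundness condition over a finite interpreted system. The system is a constructed two-bit instance of the Duck-Duck-Goose protocol from the introduction: the environment state records the key, agent 1 sends one bit per round, and agent 2 is a passive adversary whose local state is the tuple of bits received so far. Formulas are plain tuples; the two knowledge algorithms (one that compares the received bits against the key named in the formula, one that simply guesses) and the proposition names $key\_is\_k$ are assumptions of the example. The point is that $K_2$ is fixed solely by which points share the adversary's local state, that $X_2$ is fixed solely by the algorithm, and that the soundness check separates the two algorithms.

```python
"""Satisfaction for the logic of algorithmic knowledge over a finite system of
runs, plus a brute-force check of the soundness condition. Added example, not
code from the paper. The system is a constructed 2-bit Duck-Duck-Goose
protocol: agent 1 holds a key and sends one bit per round; agent 2 is a passive
adversary whose local state is the tuple of bits received so far."""
from itertools import product

# Formulas are tuples: ("p", name), ("not", f), ("and", f, g), ("K", i, f), ("X", i, f).

def build_ddg_system(nbits=2):
    """One run per key. A global state is (env, local_1, local_2): the environment
    records the key, agent 1 records (key, bits sent so far), agent 2 the bits received."""
    runs = {}
    for bits in product("01", repeat=nbits):
        key = "".join(bits)
        runs[key] = [(key, (key, bits[:m]), bits[:m]) for m in range(nbits + 1)]
    return runs

def pi(state, p):
    """Interpretation of the primitive propositions: key_is_<k> holds iff the key is k."""
    return p.startswith("key_is_") and state[0] == p[len("key_is_"):]

def points(runs):
    return [(r, m) for r, states in runs.items() for m in range(len(states))]

def local(runs, r, m, i):
    return runs[r][m][i]

def sat(runs, algs, r, m, phi):
    """(I, r, m) |= phi, following the five semantic clauses."""
    kind = phi[0]
    if kind == "p":
        return pi(runs[r][m], phi[1])
    if kind == "not":
        return not sat(runs, algs, r, m, phi[1])
    if kind == "and":
        return sat(runs, algs, r, m, phi[1]) and sat(runs, algs, r, m, phi[2])
    if kind == "K":            # true at every point that i cannot tell apart from (r, m)
        i, psi = phi[1], phi[2]
        return all(sat(runs, algs, r2, m2, psi) for r2, m2 in points(runs)
                   if local(runs, r2, m2, i) == local(runs, r, m, i))
    if kind == "X":            # whatever the agent's knowledge algorithm answers
        i, psi = phi[1], phi[2]
        return algs[i](psi, local(runs, r, m, i)) == "Yes"
    raise ValueError(phi)

def ddg_alg(phi, received):
    """Adversary's knowledge algorithm (an assumption of this example): compare the
    bits seen so far with the key named in phi."""
    if phi[0] != "p" or not phi[1].startswith("key_is_"):
        return "?"
    k = phi[1][len("key_is_"):]
    if any(a != b for a, b in zip(received, k)):
        return "No"                          # a received bit rules k out
    return "Yes" if len(received) == len(k) else "?"

def guessing_alg(phi, received):
    """An algorithm that simply guesses the key is 01, whatever it has seen."""
    return "Yes" if phi == ("p", "key_is_01") else "?"

def is_sound(runs, algs, i, formulas):
    """Soundness as defined in the text, checked over all points and the given formulas."""
    for r, m in points(runs):
        for phi in formulas:
            ans = algs[i](phi, local(runs, r, m, i))
            if ans == "Yes" and not sat(runs, algs, r, m, ("K", i, phi)):
                return False
            if ans == "No" and not sat(runs, algs, r, m, ("not", ("K", i, phi))):
                return False
    return True

RUNS = build_ddg_system(2)
KEY_PROPS = [("p", "key_is_" + "".join(b)) for b in product("01", repeat=2)]

def demo():
    sound, guess = {2: ddg_alg}, {2: guessing_alg}
    key_is_01 = ("p", "key_is_01")
    return {
        "K_after_one_bit": sat(RUNS, sound, "01", 1, ("K", 2, key_is_01)),
        "K_after_two_bits": sat(RUNS, sound, "01", 2, ("K", 2, key_is_01)),
        "X_after_two_bits": sat(RUNS, sound, "01", 2, ("X", 2, key_is_01)),
        "ddg_alg_sound": is_sound(RUNS, sound, 2, KEY_PROPS),
        "guessing_alg_sound": is_sound(RUNS, guess, 2, KEY_PROPS),
    }

if __name__ == "__main__":
    print(demo())
```

After one bit the adversary's local state is shared with a run holding a different key, so $K_2\,key\_is\_01$ fails; after both bits the local state singles out one run and both $K_2$ and $X_2$ hold. The guessing algorithm answers "Yes" at points where the corresponding $K_2$ formula is false, which is exactly what the soundness check rejects.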

To reason about security protocols, we use the following set $\Phi_0$ of primitive propositions:

• $send_i(m)$: agent $i$ sent message $m$;

• $recv_i(m)$: agent $i$ received message $m$;

• $has_i(m)$: agent $i$ has message $m$.

Intuitively, $send_i(m)$ is true when agent $i$ has sent message $m$ at some point, and $recv_i(m)$ is
true when agent $i$ has received message $m$ at some point. Agent $i$ has a submessage $m_1$ at
a point $(r, m)$, written $has_i(m_1)$, if there exists a message $m_2 \in \mathcal{M}$ such that $recv(m_2)$ is in
$r_i(m)$, the local state of agent $i$, and $m_1 \sqsubseteq m_2$. Note that the $has_i$ predicate is not restricted
by issues of encryption. If $has_i(\{|m|\}_k)$ holds, then so does $has_i(m)$, whether or not agent $i$
knows the key $k^{-1}$. Intuitively, the $has_i$ predicate characterizes the messages that agent $i$
has implicitly in her possession.

An interpreted algorithmic knowledge security system is simply an interpreted algorithmic knowledge system $\mathcal{I} = (\mathcal{R}, \pi, \mathsf{A}_1, \ldots, \mathsf{A}_n)$, where $\mathcal{R}$ is a security system, the set $\Phi$ of
primitive propositions includes $\Phi_0$, and $\pi$ is an acceptable interpretation, that is, it gives
the following fixed interpretation to the primitive propositions in $\Phi_0$:

• $\pi(r, m)(send_i(m)) = \mathbf{true}$ if and only if there exists $j$ such that $send(j, m) \in r_i(m)$

• $\pi(r, m)(recv_i(m)) = \mathbf{true}$ if and only if $recv(m) \in r_i(m)$

• $\pi(r, m)(has_i(m)) = \mathbf{true}$ if and only if there exists $m'$ such that $m \sqsubseteq m'$ and
$recv(m') \in r_i(m)$.

This language can easily express the type of confidentiality (or secrecy) properties that 
we focus on here. Intuitively, we want to guarantee that throughout a protocol interaction, 
the adversary does not know a particular message. Confidentiality properties are stated 
naturally in terms of knowledge, for example, "agent 1 knows that the key $k$ is a key known
only to agent 2 and herself". Confidentiality properties are well studied, and central to most
of the approaches to reasoning about security protocols.[3] Higher-level security properties,
such as authentication properties, can often be established via confidentiality properties. 
See [Syverson and Cervesato 2001] for more details. 

To illustrate some of the issues involved, consider an authentication protocol such as
the Needham-Schroeder-Lowe protocol [Lowe 1995]. A simplified version of the protocol is
characterized by the following message exchange between two agents $A$ and $B$:

$$A \to B : \{|n_A, A|\}_{k_B}$$
$$B \to A : \{|n_A, n_B, B|\}_{k_A}$$
$$A \to B : \{|n_B|\}_{k_B}$$

An authentication property of this protocol can be expressed informally as follows: under
suitable assumptions on the keys known to the adversary and the fact that $B$ is running his
part of the protocol, $A$ knows that $n_A$ and $n_B$ are kept confidential between her and $B$.[4]
From this, she knows that she is interacting with $B$, because she has received a message
containing $n_A$, which only $B$ could have produced. Similarly, $A$ also knows that when $B$
receives her message, $B$ will know that he is interacting with $A$, because only $A$ knows the
nonce $n_B$ which is part of the last message. Similar reasoning can be applied to $B$. This
argument relies on the confidentiality of the nonces $n_A$ and $n_B$. Using knowledge, this is
simply the fact that no agent $j$ other than $A$ and $B$ knows $has_j(n_A)$ or $has_j(n_B)$.

The fact that the implicit knowledge operator suffers from logical omniscience is particularly relevant here. At every point where an adversary $i$ intercepts a message $\{|n_A, n_B, B|\}_{k_A}$,
$K_i\,has_i(n_A)$ is true (since $n_A \sqsubseteq \{|n_A, n_B, B|\}_{k_A}$), and hence the adversary knows that he has
seen the nonce $n_A$, irrespective of whether he knows the decryption key corresponding to
$k_A$. This shows that the implicit knowledge operator does not capture important aspects
of reasoning about security. The adversary having the implicit knowledge that $n_A$ is part
of the message does not suffice, in general, for the adversary to explicitly know that $n_A$ is
part of the message. Intuitively, the adversary may not have the capabilities to realize he
has seen $n_A$.

A more reasonable interpretation of confidentiality in this particular setting is $\neg X_i\,has_i(n_A)$:
the adversary does not explicitly know, that is, cannot compute, that he has seen the
nonce $n_A$. Most logics of security introduce special primitives to capture the fact that the
adversary can see a message $m$ encrypted with key $k$ only if he has access to the key $k$.

[3] A general definition of secrecy in terms of knowledge is presented by Halpern and O'Neill [2002] in the
context of information flow, a setting that does not take into account cryptography.

[4] It may be more reasonable to talk about belief rather than knowledge that $n_A$ and $n_B$ are kept confidential. For simplicity, we talk about knowledge in this paper. Since most representations of belief suffer
from logical omniscience, what we say applies to belief as well as knowledge.
Doing this hardwires the capabilities of the adversary into the semantics. Changing these
capabilities requires changing the semantics. In our case, we simply need to supply the appropriate knowledge algorithm to the adversary, capturing his capabilities. In the following
section, we examine in more detail the kind of knowledge algorithms that correspond to 
interesting capabilities. 
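As an added worked example covering both the submessage relation $\sqsubseteq$ of Section 2.2 and the contrast between $K_i\,has_i(n_A)$ and $X_i\,has_i(n_A)$ above (illustration code, not code from the paper), the Python program below represents messages as terms over $conc$ and $encr$, implements $\sqsubseteq$ and the implicit $has_i$ predicate, and gives a Dolev-Yao-style knowledge algorithm for $has_i$ that only looks through an encryption when it holds the inverse key, learning further keys from messages it can already open. The key names and their inverses, and the choice to answer "?" rather than "No" when a message cannot be derived, are assumptions of the example; the sample history is the three Needham-Schroeder-Lowe messages copied into a passive adversary's local state.

```python
"""Message terms, the submessage relation, the implicit has_i predicate and a
Dolev-Yao-style knowledge algorithm for has_i. Added example, not code from the
paper. Keys are named; inverses are listed explicitly (an assumption of the
example), with kS standing for a symmetric session key that is its own inverse."""
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Plain:            # element of the plaintext set P (names, nonces, ...)
    value: str

@dataclass(frozen=True)
class Key:              # element of the key set K
    name: str

@dataclass(frozen=True)
class Conc:             # conc(m1, m2), written m1 . m2
    first: "Msg"
    second: "Msg"

@dataclass(frozen=True)
class Enc:              # encr(m, k), written {|m|}_k
    body: "Msg"
    key: Key

Msg = Union[Plain, Key, Conc, Enc]

INVERSE = {"kA": "kA_inv", "kA_inv": "kA", "kB": "kB_inv", "kB_inv": "kB", "kS": "kS"}

def inverse(k: Key) -> Key:
    return Key(INVERSE[k.name])

def submessage(m: Msg, m2: Msg) -> bool:
    """m ⊑ m2 by rules (1)-(4); encryption is looked through regardless of keys."""
    if m == m2:                                          # (1)
        return True
    if isinstance(m2, Conc):                             # (2), (3)
        return submessage(m, m2.first) or submessage(m, m2.second)
    if isinstance(m2, Enc):                              # (4)
        return submessage(m, m2.body)
    return False

def has(history, m: Msg) -> bool:
    """Implicit has_i(m): some recv(m') in the history with m ⊑ m'."""
    return any(ev == "recv" and submessage(m, m2) for ev, m2 in history)

def dy_submessage(m: Msg, m2: Msg, keys) -> bool:
    """Like ⊑, but rule (4) applies only when the decryption key is in `keys`."""
    if m == m2:
        return True
    if isinstance(m2, Conc):
        return dy_submessage(m, m2.first, keys) or dy_submessage(m, m2.second, keys)
    if isinstance(m2, Enc) and inverse(m2.key) in keys:
        return dy_submessage(m, m2.body, keys)
    return False

def keys_inside(m: Msg):
    """Keys occurring as submessages of m (the key a ciphertext is made with is not one)."""
    if isinstance(m, Key):
        return {m}
    if isinstance(m, Conc):
        return keys_inside(m.first) | keys_inside(m.second)
    if isinstance(m, Enc):
        return keys_inside(m.body)
    return set()

def derivable_keys(history, initial_keys):
    """Least fixpoint of: keys recoverable by splitting concatenations and
    decrypting with keys already held."""
    keys = frozenset(initial_keys)
    received = [m2 for ev, m2 in history if ev == "recv"]
    while True:
        new = {k for m2 in received for k in keys_inside(m2) if dy_submessage(k, m2, keys)}
        if new <= keys:
            return keys
        keys = keys | new

def dy_knows_has(history, initial_keys, m: Msg) -> str:
    """Knowledge algorithm for has_i(m): "Yes" when m is reachable through
    concatenations and encryptions the agent can undo, "?" otherwise. Answering
    "No" would assert K_i ¬has_i(m), which failing to decrypt does not justify."""
    keys = derivable_keys(history, initial_keys)
    if any(ev == "recv" and dy_submessage(m, m2, keys) for ev, m2 in history):
        return "Yes"
    return "?"

# Constructed sample: the three Needham-Schroeder-Lowe messages as copied into the
# local state of a passive adversary, who starts with only the public keys kA and kB.
A, B, nA, nB = Plain("A"), Plain("B"), Plain("nA"), Plain("nB")
kA, kB = Key("kA"), Key("kB")
msg1 = Enc(Conc(nA, A), kB)
msg2 = Enc(Conc(nA, Conc(nB, B)), kA)
msg3 = Enc(nB, kB)
ADVERSARY_HISTORY = [("recv", msg1), ("recv", msg2), ("recv", msg3)]
PUBLIC_KEYS = {kA, kB}

def demo():
    """Implicit has(nA), the outsider's answer, and the answer once kB^{-1} is held."""
    outsider = dy_knows_has(ADVERSARY_HISTORY, PUBLIC_KEYS, nA)
    with_kb_inv = dy_knows_has(ADVERSARY_HISTORY, PUBLIC_KEYS | {Key("kB_inv")}, nA)
    return has(ADVERSARY_HISTORY, nA), outsider, with_kb_inv

if __name__ == "__main__":
    print(demo())
```

The implicit predicate reports that the adversary has $n_A$ as soon as the first message is copied to him, whereas the knowledge algorithm answers "?" until it holds $k_B^{-1}$, at which point the same history yields "Yes". Swapping in a different algorithm (one that also tries guesses, say) changes the explicit answers without touching the system or the interpretation $\pi$, which is the point made in the text.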

4 Modeling Adversaries 

As we showed in the last two sections, interpreted algorithmic knowledge security systems 
can be used to provide a foundation for representing security protocols, and support a 
logic for writing properties based on knowledge, both traditional (implicit) and algorithmic 
(explicit). For the purposes of analyzing security protocols, we use traditional knowledge to 
model a principal's beliefs about what can happen in the protocol, while we use algorithmic 
knowledge to model the adversary's capabilities, possibly resource-bounded. To interpret 
algorithmic knowledge, we rely on a knowledge algorithm for each agent in the system. 
We use the adversary's knowledge algorithm to capture the adversary's ability to draw 
conclusions from what he has seen. In this section, we show how we can capture different 
capabilities for the adversary in a natural way in this framework. We first show how to 
capture the standard model of adversary due to Dolev and Yao. We then show how to 
account for the adversary in the Duck-Duck-Goose protocol, and the adversary considered 
by Lowe [2002] that can perform self-validating guesses. 

We start by considering passive (or eavesdropping) adversaries, which simply record 
every message exchanged by the principals; in Section 4.2, we consider active adversaries. 
For simplicity, we assume a single adversary per system; our results extend to the general 
case immediately, but the notation becomes cumbersome. 

4.1 Passive Adversaries 

Passive adversaries can be modeled formally as follows. An interpreted algorithmic knowl- 
edge security system with passive adversary a (a ∈ {1, ..., n}) is an interpreted algorithmic 
knowledge security system I = (R, π, A_1, ..., A_n) satisfying the following constraints at all 
points (r, m): 

P1. r_a(m) consists only of recv(m) events. 

P2. For all agents i, j and events send(j, m) in r_i(m), there exists an event recv(m) in r_a(m). 

P1 captures the passivity of the adversary — he can only receive messages, not send any; P2 
says that every message sent by a principal is copied to the adversary's local state. We next 
consider various knowledge algorithms for the adversary. 

4.1.1 The Dolev-Yao Adversary 

Consider the standard Dolev-Yao adversary [Dolev and Yao 1983]. This model is a combi- 
nation of assumptions on the encryption scheme used and the capabilities of the adversaries. 
Specifically, the encryption scheme is seen as the free algebra generated by 𝒫 and 𝒦, over 
the operations · and {|·|}_·. Perhaps the easiest way to formalize this is to view the set ℳ as the 
set of expressions generated by the grammar 

    m ::= p | k | {|m|}_k | m · m 

(with p ∈ 𝒫 and k ∈ 𝒦). We then identify elements of ℳ under the equivalence {|{|m|}_k|}_{k^{-1}} = 
m. We assume that there are no collisions; messages always have a unique decomposition. 
The only way that {|m|}_k = {|m'|}_{k'} is if m = m' and k = k'. We also make the standard 
assumption that concatenation and encryption have enough redundancy to recognize that 
a term is in fact a concatenation m_1 · m_2 or an encryption {|m|}_k. 

The Dolev-Yao model can be formalized by a relation H ⊢_DY m between a set H of 
messages and a message m. (Our formalization is equivalent to many other formalizations 
of Dolev-Yao in the literature, and is similar in spirit to that of Paulson [1998].) Intuitively, 
H ⊢_DY m means that an adversary can "extract" message m from a set of received messages 
and keys H, using the allowable operations. The derivation is defined using the following 
inference rules: 

     m ∈ H        H ⊢_DY {|m|}_k   H ⊢_DY k^{-1}       H ⊢_DY m_1 · m_2       H ⊢_DY m_1 · m_2 
    --------      -----------------------------       ----------------       ---------------- 
    H ⊢_DY m                H ⊢_DY m                     H ⊢_DY m_1             H ⊢_DY m_2 

In our framework, to capture the capabilities of a Dolev-Yao adversary, we specify how 
the adversary can tell if she in fact has a message, by defining a knowledge algorithm A_i^{DY} 
for adversary i. Recall that a knowledge algorithm for agent i takes as input a formula 
and agent i's local state (which we are assuming contains the messages received by i). The 
most interesting case in the definition of A_i^{DY} is when the formula is has_i(m). To compute 
A_i^{DY}(has_i(m), ℓ), the algorithm simply checks, for every message m' received by the adversary, 
whether m is a submessage of m', according to the keys that are known to the adversary. 
We assume that the adversary's initial state consists of the set of keys initially known by 
the adversary. This will typically contain, in a public-key cryptography setting, the public 
keys of all the agents. We use initkeys(ℓ) to denote the set of initial keys known by agent i 
in local state ℓ. (Recall that a local state for agent i is the sequence of events pertaining to 
agent i, including any initial information in the run, in this case, the keys initially known.) 
The function submsg, which can take apart messages created by concatenation, or decrypt 
messages as long as the adversary knows the decryption key, is used to check whether m is 
a submessage of m'. A_i^{DY}(has_i(m), ℓ) is defined as follows: 

    if m ∈ initkeys(ℓ) then 
        return "Yes" 
    K ← keysof(ℓ) 
    for each recv(m') in ℓ 
        if submsg(m, m', K) then 
            return "Yes" 
    return "No". 

The auxiliary functions used by the algorithm are given in Figure 1. 

According to the Dolev-Yao model, the adversary cannot explicitly compute anything 
interesting about what other messages agents have. Hence, for other primitives, including 
has_j(m) for j ≠ i, A_i^{DY} returns "?". For formulas of the form K_j φ and X_j φ, A_i^{DY} also 
    submsg(m, m', K) : 
        if m = m' then 
            return true 
        if m' is {|m_1|}_k and k^{-1} ∈ K then 
            return submsg(m, m_1, K) 
        if m' is m_1 · m_2 then 
            return submsg(m, m_1, K) ∨ submsg(m, m_2, K) 
        return false 

    getkeys(m, K) : 
        if m ∈ 𝒦 then 
            return {m} 
        if m is {|m_1|}_k and k^{-1} ∈ K then 
            return getkeys(m_1, K) 
        if m is m_1 · m_2 then 
            return getkeys(m_1, K) ∪ getkeys(m_2, K) 
        return {} 

    keysof(ℓ) : 
        K ← initkeys(ℓ) 
        loop until no change in K 
            K ← K ∪ ⋃_{recv(m) ∈ ℓ} getkeys(m, K) 
        return K 

Figure 1: Dolev-Yao knowledge algorithm auxiliary functions 



returns "?". For Boolean combinations of formulas, A_i^{DY} returns the corresponding Boolean 
combination (where the negation of "?" is "?", the conjunction of "No" and "?" is "No", 
and the conjunction of "Yes" and "?" is "?") of the answer for each has_j(m) query. 
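The following is an added example, not code from the paper: a Python implementation of A_i^{DY} on input has_i(m) together with submsg, getkeys and keysof from Figure 1. The tuple encoding of the message algebra, the key names and the eavesdropped local state are constructed assumptions.

```python
# Added example (not from the paper): the Dolev-Yao knowledge algorithm
# A_i^DY on input has_i(m), with submsg, getkeys and keysof from Figure 1.
# Message encoding (an assumption of this example):
#   plaintext or key atom  -> a Python string
#   {|m|}_k                -> ("enc", m, k)
#   m1 . m2                -> ("cat", m1, m2)
# A local state l is the pair (initkeys(l), list of received messages).
# KEYS is the key set; INVERSE gives each key's decryption key (all the
# constructed keys below are symmetric, so each is its own inverse).

KEYS = {"k1", "k2", "k3", "k4"}
INVERSE = {"k1": "k1", "k2": "k2", "k3": "k3", "k4": "k4"}

def enc(m, k):
    return ("enc", m, k)

def cat(m1, m2):
    return ("cat", m1, m2)

def submsg(m, mp, K):
    """submsg(m, m', K): is m a submessage of m', opening concatenations
    and any encryption whose decryption key is in K?"""
    if m == mp:
        return True
    if isinstance(mp, tuple) and mp[0] == "enc":
        _, m1, k = mp
        return INVERSE[k] in K and submsg(m, m1, K)
    if isinstance(mp, tuple) and mp[0] == "cat":
        return submsg(m, mp[1], K) or submsg(m, mp[2], K)
    return False

def getkeys(m, K):
    """getkeys(m, K): the keys extractable from m given the known keys K."""
    if m in KEYS:
        return {m}
    if isinstance(m, tuple) and m[0] == "enc":
        _, m1, k = m
        return getkeys(m1, K) if INVERSE[k] in K else set()
    if isinstance(m, tuple) and m[0] == "cat":
        return getkeys(m[1], K) | getkeys(m[2], K)
    return set()

def keysof(local_state):
    """keysof(l): least fixed point of the keys learnable from the local state.
    A key sent under a key that is itself only learnt later needs a further pass."""
    initkeys, received = local_state
    K = set(initkeys)
    while True:
        new_K = set(K)
        for mp in received:
            new_K |= getkeys(mp, K)
        if new_K == K:
            return K
        K = new_K

def A_DY_has(m, local_state):
    """A_i^DY(has_i(m), l): "Yes" iff m is an initial key or a submessage of
    some received message relative to the keys keysof(l)."""
    initkeys, received = local_state
    if m in initkeys:
        return "Yes"
    K = keysof(local_state)
    for mp in received:
        if submsg(m, mp, K):
            return "Yes"
    return "No"

# Constructed local state: the adversary starts with k1 and has overheard
# {|n_a|}_k3, {|k3|}_k2, {|k2|}_k1 and {|n_b . k4|}_k4.  keysof needs three
# passes (k2 from the third message, then k3 from the second); k4 is only
# ever sent encrypted under itself and stays out of reach.
EAVESDROPPED = ({"k1"}, [enc("n_a", "k3"), enc("k3", "k2"), enc("k2", "k1"),
                         enc(cat("n_b", "k4"), "k4")])

if __name__ == "__main__":
    print(sorted(keysof(EAVESDROPPED)))           # ['k1', 'k2', 'k3']
    for msg in ["n_a", "k3", "n_b", "k4"]:
        print(msg, A_DY_has(msg, EAVESDROPPED))    # Yes, Yes, No, No
```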

The following result shows that an adversary using A_i^{DY} recognizes (i.e., returns "Yes" 
to) has_i(m) in state ℓ if and only if m is in the set of messages that can be derived (according 
to ⊢_DY) from the messages received in that state together with the keys initially known. 
Moreover, if a has_i(m) formula is derived at the point (r, m), then has_i(m) is actually true 
at (r, m) (so that A_i^{DY} is sound). 

Proposition 4.1. Let I = (R, π, A_1, ..., A_n) be an interpreted algorithmic knowledge se- 
curity system where A_i = A_i^{DY}. Then 

    (I, r, m) ⊨ X_i(has_i(m)) if and only if {m' : recv(m') ∈ r_i(m)} ∪ initkeys(r_i(m)) ⊢_DY m. 

Moreover, if (I, r, m) ⊨ X_i(has_i(m)) then (I, r, m) ⊨ has_i(m). 

Proof. Let K = keysof(r_i(m)). We must show that A_i^{DY}(has_i(m), r_i(m)) = "Yes" if and only 
if K ∪ {m' : recv(m') ∈ r_i(m)} ⊢_DY m. It is immediate from the description of A_i^{DY} and ⊢_DY 
that this is true if m ∈ initkeys(r_i(m)). If m ∉ initkeys(r_i(m)), then A_i^{DY}(has_i(m), r_i(m)) = 
"Yes" if and only if submsg(m, m', K) = true for some m' such that recv(m') ∈ r_i(m). Next 
observe that submsg(m, m', K) = true if and only if K ∪ {m'} ⊢_DY m: the "if" direction 
follows by a simple induction on the length of the derivation; the "only if" direction follows 
by a straightforward induction on the structure of m. Finally, observe that if M is a set of 
messages, then K ∪ M ⊢_DY m if and only if K ∪ {m'} ⊢_DY m for some m' ∈ M. The "if" 
direction is trivial. The "only if" direction follows by induction on the number of times the 
rule "from m' ∈ H infer H ⊢_DY m'" is used to derive some m' ∈ M. If it is never used, 
then it is easy to see that K ⊢_DY m. If it is used at least once, and the last occurrence 
is used to derive m', then it is easy to see that K ∪ {m'} ⊢_DY m (the derivation just starts 
from the last use of this rule). The desired result is now immediate. ∎ 

In particular, if we have an interpreted algorithmic knowledge security system with a 
passive adversary a such that A_a = A_a^{DY}, then Proposition 4.1 captures the knowledge of a 
passive Dolev-Yao adversary. 

4.1.2 The Duck-Duck-Goose Adversary 

The key advantage of our framework is that we can easily change the capabilities of the 
adversary beyond those prescribed by the Dolev-Yao model. For example, we can capture 
the fact that if the adversary knows the protocol, she can derive more information than she 
could otherwise. For instance, in the Duck-Duck-Goose example, assume that the adversary 
maintains in her local state a list of all the bits received corresponding to the key of the 
principal. We can easily write the algorithm so that if the adversary's local state contains 
all the bits of the key of the principal, then the adversary can decode messages that have 
been encrypted with that key. Specifically, assume that key k is being sent in the Duck- 
Duck-Goose example. Then for an adversary i, has_i(k) will be false until all the bits of the 
key have been received. This translates immediately into the following algorithm A_i^{DDG}: 

    if all the bits recorded in ℓ form k then 
        return "Yes" 
    else return "No". 

A_i^{DDG} handles other formulas in the same way as A_i^{DY}. 

Of course, nothing keeps us from combining algorithms, so that we can imagine an 
adversary intercepting both messages and key bits, and using an algorithm A_i that is a 
combination of the Dolev-Yao algorithm and the Duck-Duck-Goose algorithm; A_i(φ, ℓ) is 
defined as follows: 

    if A_i^{DY}(φ, ℓ) = "Yes" then 
        return "Yes" 
    else return A_i^{DDG}(φ, ℓ). 

This assumes that the adversary knows the protocol, and hence knows when the key bits 
are being sent. The algorithm above captures this protocol-specific knowledge. 

4.1.3 The Lowe Adversary 

For a more realistic example of an adversary model that goes beyond Dolev-Yao, consider 
the following adversary model introduced by Lowe [2002] to analyze protocols subject to 
guessing attacks. The intuition is that some protocols provide for a way to "validate" the 
guesses of an adversary. For a simple example of this, here is a simple challenge-based 
authentication protocol: 

    A → S : A 
    S → A : n_s 
    A → S : {|n_s|}_{p_a} 

Intuitively, A tells the server S that she wants to authenticate herself. S replies with a 
challenge n_s. A sends back to S the challenge encrypted with her password p_a. Presumably, 
S knows the password, and can verify that she gets {|n_s|}_{p_a}. Unfortunately, an adversary 
can overhear both n_s and {|n_s|}_{p_a}, and can "guess" a value g for p_a and verify his guess by 
checking if {|n_s|}_g = {|n_s|}_{p_a}. The key feature of this kind of attack is that the guessing (and 
the validation) can be performed offline, based only on the intercepted messages. 

To account for this capability of adversaries is actually fairly complicated. We present 
a slight variation of Lowe's description, mostly to make it notationally consistent with the 
rest of the section; we refer the reader to Lowe [2002] for a discussion of the design choices. 

Lowe's model relies on a basic one-step reduction function, S ▷_l m, saying that the 
messages in S can be used to derive the message m. This is essentially the same as ⊢_DY, 
except that it represents a single step of derivation. Note that the derivation relation ▷_l is 
"tagged" by the kind of derivation performed (l): 

    {m, k} ▷_enc {|m|}_k 
    {{|m|}_k, k^{-1}} ▷_dec m 
    {m_1 · m_2} ▷_fst m_1 
    {m_1 · m_2} ▷_snd m_2. 

Lowe also includes a reduction to derive mi • m2 from mi and m2. We do not add this 
reduction to simplify the presentation. It is straightforward to extend our approach to deal 
with it. 

Given a set H of messages, and a sequence t of one-step reductions, we define inductively 
the set [H]_t of messages obtained from the one-step reductions given in t: 

    [H]_()              = H 
    [H]_{(S ▷_l m) · t} = [H ∪ {m}]_t    if S ⊆ H 
                        = undefined      otherwise. 

Here, () denotes the empty trace, and t_1 · t_2 denotes trace concatenation. A trace t is said 
to be monotone if, intuitively, it does not perform any one-step reduction that "undoes" a 
previous one-step reduction. For example, the reduction {m, k} ▷_enc {|m|}_k undoes the reduction 
{{|m|}_k, k^{-1}} ▷_dec m. (See Lowe [2002] for more details on undoing reductions.) 

We say that a set H of messages validates a guess m if, intuitively, H contains enough 
information to verify that m is indeed a good guess. Intuitively, this happens if a value v 
(called a validator) can be derived from the messages in H ∪ {m} in a way that uses the 
guess m, and either (a) the validator v can be derived in a different way from H ∪ {m}, (b) 
the validator v is already in H ∪ {m}, or (c) the validator v is a key whose inverse is derivable 
from H ∪ {m}. For example, in the protocol exchange at the beginning of this section, the 
adversary sees the messages H = {n_s, {|n_s|}_{p_a}}, and we can check that H validates the guess 
m = p_a: clearly, {n_s, m} ▷_enc {|n_s|}_{p_a}, and {|n_s|}_{p_a} ∈ H ∪ {m}. In this case, the validator 
{|n_s|}_{p_a} is already present in H ∪ {m}. For other examples of validation, we again refer to 
Lowe [2002]. 

We can now define the relation H ⊢_L m that says that m can be derived from H by a 
Lowe adversary. Intuitively, H ⊢_L m if m can be derived by Dolev-Yao reductions, or m can 
be guessed and validated by the adversary, and hence is susceptible to an attack. Formally, 
H ⊢_L m if and only if H ⊢_DY m or there exists a monotone trace t, a set S, and a "validator" 
v such that 

(1) [H ∪ {m}]_t is defined; 

(2) S ▷_l v is in t; 

(3) there is no trace t' such that S ⊆ [H]_{t'}; and 

(4) either: 

    (a) there exists (S', l') ≠ (S, l) with S' ▷_{l'} v in t, 

    (b) v ∈ H ∪ {m}, or 

    (c) v ∈ 𝒦 and v^{-1} ∈ [H ∪ {m}]_t. 

It is not hard to verify that this formalization captures the intuition about validation given 
earlier. Specifically, condition (1) says that the trace t is well-formed, condition (2) says 
that the validator v is derived from H ∪ {m}, condition (3) says that deriving the validator 
v depends on the guess m, and condition (4) specifies when a validator v validates a guess 
m, as given earlier. 

We would now like to define a knowledge algorithm A_i^L to capture the capabilities of 
the Lowe adversary. Again, the only case of real interest is what A_i^L does on input has_i(m). 
A_i^L(has_i(m), ℓ) is defined as follows: 

    if A_i^{DY}(has_i(m), ℓ) = "Yes" then 
        return "Yes" 
    if guess(m, ℓ) = "Yes" then 
        return "Yes" 
    return "No". 

The auxiliary functions used by the algorithm are given in Figure 2. (We have not concerned 
ourselves with matters of efficiency in the description of A_i^L; again, see Lowe [2002] for a 
discussion of implementation issues.) 

As before, we can check the correctness and soundness of the algorithm: 

Proposition 4.2. Let I = (R, π, A_1, ..., A_n) be an interpreted algorithmic knowledge se- 
curity system where A_i = A_i^L. Then 

    (I, r, m) ⊨ X_i(has_i(m)) if and only if {m' : recv(m') ∈ r_i(m)} ∪ initkeys(r_i(m)) ⊢_L m. 

Moreover, if (I, r, m) ⊨ X_i(has_i(m)) then (I, r, m) ⊨ has_i(m). 
    guess(m, ℓ) : 
        H ← reduce({m' : recv(m') in ℓ} ∪ initkeys(ℓ)) ∪ {m} 
        reds ← {} 
        loop until reductions(H) − reds is empty 
            (S, l, v) ← pick an element of reductions(H) − reds 
            if ∃(S', l', v) ∈ reds s.t. S' ≠ S and l' ≠ l then 
                return "Yes" 
            if v ∈ H then 
                return "Yes" 
            if v ∈ 𝒦 and v^{-1} ∈ H then 
                return "Yes" 
            reds ← reds ∪ {(S, l, v)} 
            H ← H ∪ {v} 
        return "No" 

    reduce(H) : 
        loop until no change in H 
            r ← reductions(H) 
            for each (S, l, v) in r 
                H ← H ∪ {v} 
        return H 

    reductions(H) : 
        reds ← {} 
        for each m_1 · m_2 in H 
            reds ← reds ∪ {({m_1 · m_2}, fst, m_1), ({m_1 · m_2}, snd, m_2)} 
        for each m_1, m_2 in H 
            if m_2 ∈ 𝒦 and sub({|m_1|}_{m_2}, H) then 
                reds ← reds ∪ {({m_1, m_2}, enc, {|m_1|}_{m_2})} 
            if m_1 is {|m'|}_k and m_2 is k^{-1} then 
                reds ← reds ∪ {({m_1, m_2}, dec, m')} 
        return reds 

    sub(m, H) : 
        if H = {m} then 
            return true 
        if H = {m_1 · m_2} then 
            return sub(m, {m_1}) ∨ sub(m, {m_2}) 
        if H = {{|m'|}_k} then 
            return sub(m, {m'}) 
        if |H| > 1 and H = {m'} ∪ H' then 
            return sub(m, {m'}) ∨ sub(m, H') 
        return false 

Figure 2: Lowe knowledge algorithm auxiliary functions 
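Below is an added example, not the paper's or Lowe's code: the guess algorithm of Figure 2 in Python, with reduce, reductions and sub, wrapped in A_i^L. It goes beyond the figure in two places, both marked in the code: it enforces condition (3) of ⊢_L (a counted reduction must depend on the guess) and the monotone-trace requirement (a reduction undoing an earlier one is skipped); the Dolev-Yao step of A_i^L is taken to be membership in reduce(·). The message encoding, the key names and the three local states are constructed assumptions.

```python
# Added example (not from the paper or from Lowe): the Lowe knowledge
# algorithm A_i^L built on guess/reduce/reductions/sub from Figure 2.
# Encoding (assumed): atoms are strings, {|m|}_k is ("enc", m, k),
# m1 . m2 is ("cat", m1, m2); a local state is (initkeys, received).
# Two points go beyond the figure and are marked ASSUMPTION below:
# condition (3) of |-L and the monotone-trace requirement.

KEYS = {"p_a", "pk_a", "sk_a", "k"}
INVERSE = {"p_a": "p_a", "k": "k", "pk_a": "sk_a", "sk_a": "pk_a"}

def enc(m, k): return ("enc", m, k)
def is_enc(m): return isinstance(m, tuple) and m[0] == "enc"
def is_cat(m): return isinstance(m, tuple) and m[0] == "cat"

def sub(m, H):
    """sub(m, H): does m occur as a subterm of some message in H?"""
    for mp in H:
        if m == mp:
            return True
        if is_cat(mp) and sub(m, {mp[1], mp[2]}):
            return True
        if is_enc(mp) and sub(m, {mp[1]}):
            return True
    return False

def reductions(H):
    """All one-step reductions (S, l, v) applicable to H, tagged by kind l."""
    reds = set()
    for m in H:
        if is_cat(m):
            reds.add((frozenset({m}), "fst", m[1]))
            reds.add((frozenset({m}), "snd", m[2]))
    for m1 in H:
        for m2 in H:
            # as in Figure 2, an encryption is built only if it already occurs in H
            if m2 in KEYS and sub(enc(m1, m2), H):
                reds.add((frozenset({m1, m2}), "enc", enc(m1, m2)))
            if is_enc(m1) and m2 == INVERSE.get(m1[2]):
                reds.add((frozenset({m1, m2}), "dec", m1[1]))
    return reds

def reduce(H):
    """Close H under all one-step reductions."""
    H = set(H)
    while True:
        new = H | {v for (_, _, v) in reductions(H)}
        if new == H:
            return H
        H = new

def undoes(red, applied):
    """ASSUMPTION (monotone traces): an enc re-building what a dec in
    `applied` opened, or a dec re-opening what an enc built, is skipped."""
    S, l, v = red
    if l == "enc":
        return (frozenset({v, INVERSE[v[2]]}), "dec", v[1]) in applied
    if l == "dec":
        c = next(x for x in S if is_enc(x))
        return (frozenset({v, c[2]}), "enc", c) in applied
    return False

def guess(m, local_state):
    """guess(m, l) of Figure 2: "Yes" iff the guess m can be validated."""
    initkeys, received = local_state
    H0 = reduce(set(received) | set(initkeys))  # derivable without the guess
    H = H0 | {m}
    reds = set()
    while True:
        # ASSUMPTION (condition (3) of |-L): ignore reductions whose sources
        # are all derivable without the guess
        cand = [r for r in reductions(H)
                if r not in reds and not r[0] <= H0 and not undoes(r, reds)]
        if not cand:
            return "No"
        S, l, v = cand[0]
        if v in H:                         # (a)/(b): validator known or re-derived
            return "Yes"
        if v in KEYS and INVERSE[v] in H:  # (c): a key whose inverse is derivable
            return "Yes"
        reds.add((S, l, v))
        H.add(v)

def A_L_has(m, local_state):
    """A_i^L(has_i(m), l): Dolev-Yao derivability (via reduce) first, then guessing."""
    initkeys, received = local_state
    if m in reduce(set(received) | set(initkeys)):
        return "Yes"
    return guess(m, local_state)

# Constructed local states: CHALLENGE is the exchange of Section 4.1.3
# (n_s and {|n_s|}_p_a overheard); PRIVKEY is a private key sent under a
# password with the public key known; BLIND sees only {|n|}_k.
CHALLENGE = (set(), ["n_s", enc("n_s", "p_a")])
PRIVKEY = (set(), ["pk_a", enc("sk_a", "p_a")])
BLIND = (set(), [enc("n", "k")])
```

On these states the password guess p_a is validated both from the challenge exchange and from the password-encrypted private key, while a guess for k against a lone ciphertext cannot be checked and A_L_has answers "No".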
Proof. Let K = keysof(r_i(m)). The proof is similar in spirit to that of Proposition 4.1, 
using the fact that if m ∉ initkeys(r_i(m)) and K ∪ {m' | recv(m') ∈ r_i(m)} ⊬_DY m then 
guess(m, r_i(m)) = "Yes" if and only if K ∪ {m' | recv(m') ∈ r_i(m)} ⊢_L m. The proof of this 
fact is essentially given by Lowe [2002], the algorithm A_i^L being a direct translation of the 
CSP process implementing the Lowe adversary. Again, soundness with respect to has_i(m) 
follows easily. ∎ 



4.2 Active Adversaries 

Up to now we have considered passive adversaries, which can intercept messages exchanged 
by protocol participants, but cannot actively participate in the protocol. Passive adversaries 
are often appropriate when the concern is confidentiality of messages. However, there are 
many attacks on security protocols that do not necessarily involve a breach of confidentiality. 
For instance, some authentication properties are concerned with ensuring that no adversary 
can pass himself off as another principal. This presumes that the adversary is able to interact 
with other principals. Even when it comes to confidentiality, there are clearly attacks that 
an active adversary can make that cannot be made by a passive adversary. 

To analyze active adversaries, we need to consider what messages they can send. This, 
in turn, depends on their capabilities, which we have already captured using knowledge 
algorithms. Formally, at a local state ℓ, an adversary using knowledge algorithm A_i can 
construct the messages in the set C(ℓ), defined to be the closure under the operations conc and 
encr (concatenation and encryption) of the set {m | A_i(has_i(m), ℓ) = "Yes"} of messages that 
adversary i has. 

Once we consider active adversaries, we must consider whether they are insiders or 
outsiders. Intuitively, an insider is an adversary that other agents know about, and can 
initiate interactions with. (Insider adversaries are sometimes called corrupt principals or 
dishonest principals.) As we mentioned in the introduction, the difference between insiders 
and outsiders was highlighted by Lowe's [1995] man-in-the-middle attack of the Needham- 
Schroeder protocol. 

An interpreted algorithmic knowledge security system with active (insider) adversary a 
(a ∈ {1, ..., n}) is an interpreted algorithmic knowledge security system I = (R, π, A_1, ..., A_n) 
satisfying the following constraints at all points (r, m). 

A1. For every recv(m) ∈ r_a(m), there is a corresponding send(j, m) in r_i(m) for some i. 
A2. For every send(j, m) ∈ r_a(m), we have m ∈ C(r_a(m)). 

A1 says that every message sent by the agents can be intercepted by the adversary and end 
up in the adversary's local state, rather than reaching its destination. A2 says that every 
message sent by the adversary must have been constructed out of the messages in his local 
state according to his capabilities. (Note that the adversary can forge the "send" field of 
the messages.) 

To accommodate outsider adversaries, it suffices to add the restriction that no message 
is sent directly to the adversary. Formally, an interpreted algorithmic knowledge security 
system with active (outsider) adversary a (a ∈ {1, ..., n}) is an interpreted algorithmic 
knowledge security system I = (R, π, A_1, ..., A_n) with an active insider adversary a such 
that for all points (r, m) and for all agents i, the following additional constraint is satisfied. 

A3. For every send(j, m) ∈ r_i(m), j ≠ a. 






5 Related Work 



The issues we raise in this paper are certainly not new, and have been addressed, up to 
a point, in the literature. In this section, we review this literature, and discuss where we 
stand with respect to other approaches that have attempted to tackle some of the same 
problems. 

As we mentioned in the introduction, the Dolev-Yao adversary is the most widespread 
adversary in the literature. Part of its attraction is its tractability, making it possible to 
develop formal systems to automatically check for safety with respect to such adversaries 
[Millen, Clark, and Freedman 1987; Mitchell, Mitchell, and Stern 1997; Paulson 1998; Lowe 
1998; Meadows 1996]. The idea of moving beyond the Dolev-Yao adversary is not new. 
As we pointed out in Section 4.1.3, Lowe [2002] developed an adversary that can encode 
some amount of off-line guessing; we showed in Section 4.1.3 that we could capture such 
an adversary in our framework. Other approaches have the possibility of extending the 
adversary model. For instance, the frameworks of Paulson [1998], Clarke, Jha and Marrero 
[1998], and Lowe [1998] describe the adversary via a set of derivation rules, which could 
be modified by adding new derivation rules. We could certainly capture these adversaries 
by appropriately modifying our A_i^{DY} knowledge algorithm. (Pucella [2006] studies the prop- 
erties of algorithmic knowledge given by derivation rules in more depth.) However, these 
other approaches do not seem to have the flexibility of our approach in terms of capturing 
adversaries. Not all adversaries can be conveniently described in terms of derivation rules. 

There are other approaches that weaken the Dolev-Yao adversary assumptions by either 
taking concrete encryption schemes into account, or at least adding new algebraic identities 
to the algebra of messages. Bieber [1990] does not assume that the encryption scheme is 
a free algebra, following an idea due to Merritt and Wolper [1985]. Even et al. [1985] 
analyze ping-pong protocols under RSA, taking the actual encryption scheme into account. 
The applied π-calculus of Abadi and Fournet [2001] permits the definition of an equational 
theory over the messages exchanged between processes, weakening some of the encryption 
scheme assumptions when the applied π-calculus is used to analyze security protocols. Since 
the encryption scheme used in our framework is a simple parameter to the logic, there is 
no difficulty in modifying our logic to reason about a particular encryption scheme, and 
hence we can capture these approaches in our framework. However, again, it seems that 
our approach is more flexible than these other approaches; not all adversaries can be defined 
simply by starting with a Dolev-Yao adversary and adding identities. 

On a related note, the work of Abadi and Rogaway [2002], building on previous work 
by Bellare and Rogaway [1993], compares the results obtained by a Dolev-Yao adversary 
with those obtained by a more computational view of cryptography. They show that, under 
various conditions, the former is sound with respect to the latter, that is, terms that are 
assumed indistinguishable in the Dolev-Yao model remain indistinguishable under a concrete 
encryption scheme. It would be interesting to recast their analysis in our setting, which, as 
we argued, can capture both the Dolev-Yao adversary and more concrete adversaries. 

The use of a logic based on knowledge or belief is also not new. A number of formal logics 
for analysis of security protocols that involve knowledge and belief have been introduced, 
going back to BAN logic [Burrows, Abadi, and Needham 1990], such as [Bieber 1990; 
Gong, Needham, and Yahalom 1990; Syverson 1990; Abadi and Tuttle 1991; Stubblebine 
and Wright 1996; Wedel and Kessler 1996; Accorsi, Basin, and Vigano 2001]. The main 
problem with some of those approaches is that the semantics of the logic (to the extent that one 
is provided) is typically not tied to protocol executions or attacks. As a result, protocols 
are analyzed in an idealized form, and this idealization is itself error-prone and difficult to 
formalize [Mao 1995].^ While some of these approaches have a well-defined semantics and 
do not rely on idealization (e.g., [Bieber 1990; Accorsi, Basin, and Vigano 2001]), they are 
still restricted to (a version of) the Dolev-Yao adversary. In contrast, our framework goes 
beyond Dolev-Yao, as we have seen, and our semantics is directly tied to protocol execution. 
Other approaches have notions of knowledge that can be interpreted as a form of algorithmic 
knowledge ([Durgin, Mitchell, and Pavlovic 2003], for instance), but the interpretation of 
knowledge is fixed in the semantics of the logic. 

The problem of logical omniscience in logics of knowledge is well known, and the liter- 
ature describes numerous approaches to try to circumvent it. (See [Fagin, Halpern, Moses, 
and Vardi 1995, Chapters 10 and 11] for an overview.) In the context of security, this takes 
the form of using different semantics for knowledge, either by introducing hiding operators 
that hide part of the local state for the purpose of indistinguishability or by using notions 
such as awareness [Fagin and Halpern 1988] to capture an intruder's inability to decrypt 
[Accorsi, Basin, and Vigano 2001].^ We now describe these two approaches in more detail. 

The hiding approach is used in many knowledge-based frameworks as a way to define an 
essentially standard semantics for knowledge not subject to logical omniscience, at least as 
far as cryptography is concerned. Abadi and Tuttle [1991], for instance, map all messages 
that the agent cannot decrypt to a fixed symbol □; the semantics of knowledge is modified 
so that s and s' are indistinguishable to agent i when the local state of agent i in s and 
s' is the same after applying the mapping described above. Syverson and van Oorschot 
[1994] use a variant: rather than mapping all messages that an agent cannot decrypt to 
the same symbol □, they use a distinct symbol □_x for each distinct term x of the free 
algebra modeling encrypted messages, and take states containing these symbols to be 
indistinguishable if they are the same up to permutation of the set of symbols □_x. Thus, an 
adversary may still do comparisons of encrypted messages without attempting to decrypt 
them. Hutter and Schairer [2004] use this approach in their definition of information flow 
in the presence of symbolic cryptography, and Garcia et al. [2005] use it in their definition 
of anonymity in the presence of symbolic cryptography.^ This approach deals with logical 
omniscience for encrypted messages: when the adversary receives a message m encrypted 
with a key that he does not know, the adversary does not know that he has m if there 
exists another state where he has received a different message m' encrypted with a key he 
does not know. However, the adversary can still perform arbitrary computations with the 

^While more recent logical approaches (e.g., [Clarke, Jha, and Marrero 1998; Durgin, Mitchell, and 
Pavlovic 2003]) do not suffer from an idealization phase and are more tied to protocol execution, they 
also do not attempt to capture knowledge and belief in any general way. 

^A notion of algorithmic knowledge was defined by Moses [1988] and used by Halpern, Moses and Tuttle 
[1988] to analyze zero-knowledge protocols. Although related to algorithmic knowledge as defined here, 
Moses' approach does not use an explicit algorithm. Rather, it checks whether there exists an algorithm of 
a certain class (for example, a polynomial-time algorithm) that could compute such knowledge. 

^A variant of this approach is developed by Cohen and Dam [2005] to deal with logical omniscience in a 
first-order interpretation of BAN logic. Rather than using a symbol □ to model that a message is encrypted 
with an unknown key, they identify messages in different states encrypted using an unknown key. 
data that he does know. Therefore, this approach does not directly capture computational 
limitations, something algorithmic knowledge takes into account. 

Awareness is a more syntactical approach. Roughly speaking, the semantics for aware- 
ness can specify for every point a set of formulas of which an agent is aware. For instance, 
an agent may be aware of a formula without being aware of its subformulas. A general prob- 
lem with awareness is determining the set of formulas of which an agent is aware at any 
point. One interpretation of algorithmic knowledge is that it characterizes what formulas 
an agent is aware of: those for which the algorithm says "Yes" . In that sense, we subsume 
approaches based on awareness by providing them with an intuition. We should note that 
not every use of awareness in the security protocol analysis literature is motivated by the 
desire to model more general adversaries. Accorsi et al. [2001], for instance, describe a logic 
for reasoning about beliefs of agents participating in a protocol, much in the way that BAN 
logic is used to reason about beliefs of agents participating in a protocol. To deal with the 
logical omniscience problem, Accorsi et al. use awareness to restrict the set of facts that 
an agent can believe. Thus, an agent may be aware of which agent sent a message if she 
shares a secret with the sender of the message, and not be aware of that fact otherwise. 
This makes the thrust of their work different from ours. 

6 Conclusion 

We have presented a framework for security analysis using algorithmic knowledge. The 
knowledge algorithm can be tailored to account for both the capabilities of the adversary 
and the specifics of the protocol under consideration. Of course, it is always possible 
to take a security logic and extend it in an ad hoc way to reason about adversaries with 
different capabilities. Our approach has a number of advantages over ad hoc approaches. 
In particular, it is a quite general framework (we simply need to change the algorithm used by 
the adversary to change its capabilities, or add adversaries with different capabilities), and 
it permits reasoning about protocol-specific issues (for example, it can capture situations 
such as an agent sending the bits of her key). 

Another advantage of our approach is that it naturally extends to the probabilistic 
setting. For instance, we can easily handle probabilistic protocols by considering multiagent 
systems with a probability distribution on the runs (see [1993]). We can also deal with 
knowledge algorithms that are probabilistic, although there are some additional subtleties 
that arise, since the semantics for X_i given here assumes that the knowledge algorithm is 
deterministic. In a companion paper [Halpern and Pucella 2005], we extend our approach 
to deal with probabilistic algorithmic knowledge, which lets us reason about a Dolev-Yao 
adversary that attempts to guess keys subject to a distribution. We hope to use this 
approach to capture probabilistic adversaries of the kind studied by Lincoln et al. [1998]. 

The goal of this paper was to introduce a general framework for handling different 
adversary models in a natural way, not specifically to devise new attacks or adversary 
capabilities. With this framework, it should be possible to put on a formal foundation new 
attacks that are introduced by the community. We gave a concrete example of this with 
the "guess-and-confirm" attacks of Lowe [2002]. 

It is fair to ask at this point what we can gain by using this framework. For one thing, 
we believe that the ability of the framework to describe the capabilities of the adversary will 
make it possible to specify the properties of security protocols more precisely. Of course, it 
may be the case that to prove correctness of a security protocol with respect to certain types 
of adversaries (for example, polynomial-time bounded adversaries) we will need to appeal 
to techniques developed in the cryptography community. However, we believe that it may 
well be possible to extend current model-checking techniques to handle more restricted 
adversaries (for example, Dolev-Yao extended with random guessing). This is a topic that 
deserves further investigation. In any case, having a logic where we can specify the abilities 
of adversaries is a necessary prerequisite to using model-checking techniques. 